An intermittent issue occurs during the handshake between an iOS native application and MobileFirst 7.1.0.00.20180425-1124.
Findings
- Found out the "scope" query parameter is sent to the server as an empty string.
Here I am trying to WWW-Authenticate based on a custom auth realm.
Actual URL
http://localhost:8080/BA/authorization/v1/authorization?client_id=rr4a6042193a89c44a8d2415874ef6d279123456&isAjaxRequest=true&redirect_uri=http%3A%2F%2Fmfpredirecturi&response_type=code&scope=
Expected URL
http://localhost:8080/BA/authorization/v1/authorization?client_id=rr4a6042193a89c44a8d2415874ef6d279123456&isAjaxRequest=true&redirect_uri=http%3A%2F%2Fmfpredirecturi&response_type=code&scope=UserAuthRealm
- As per worklight-jee-library.jar -- com.worklight.authorization.endpoint.token.TokenEndpoint
the public key does not match.
    if (!Bytes.areEqual(clientPublicKey, jwsParts.getPublicKey().getEncoded())) {
        logger.debug(method, "JWS signature does not match the client ID");
        return false;
    }
    return true;
- So far the issue has occurred on iOS 12 devices, not on other OS versions.
Please find the configuration used below.
application-descriptor.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<nativeIOSApp xmlns="http://www.worklight.com/native-ios-descriptor" applicationId="**App" bundleId="com.xxx.mobile" id="**App" platformVersion="7.1.0.00.20160528-1648" securityTest="CustomAppAuthenticityAutoProvTest" version="7.2">
<displayName>iOS</displayName>
<description>iOS Mobile App</description>
<accessTokenExpiration>1800</accessTokenExpiration>
<userIdentityRealms>UserAuthRealm</userIdentityRealms>
<pushSender password="*********"/>
<licenseAppType>APPLICATION</licenseAppType>
<targetCategory>B2C</targetCategory>
</nativeIOSApp>
conf/authenticationConfig.xml
<realm name="UserAuthRealm" loginModule="CustomAuthLoginModule">
<className>com.ibm.mfp.CustomUserAuthenticator</className>
</realm>
worklight.properties
mfp.session.independent=true
mfp.attrStore.type=database
Device Details
{
"x-wl-clientlog-env":"iOSnative",
"x-wl-clientlog-appversion":"7.0",
"x-wl-clientlog-model":"iPhone8,2",
"x-wl-clientlog-osversion":"12.0",
"x-wl-clientlog-appname":"iOSWLApp"
}
Response
{
"error_description":"Client authentication failed",
"error":"invalid_client"
}
Message.log
00002171 com.worklight.core.auth.impl.AuthorizationFilterUtils
E FWLSE0376E: JWS signed ClientId signature does not match the client ID
0000285b com.worklight.oauth.validation.Validator
I OAuthTAI Authentication failed with Status = 401, WWW-Authenticate: Bearer realm="imfAuthentication", scope=""
Trace.log
[1/27/19 19:08:25:434 GST] 0000285b id= com.worklight.oauth.validation.Validator > validate ENTRY
[1/27/19 19:08:25:434 GST] 0000285b id= com.worklight.oauth.validation.Validator 1 validate missing_authorization
[1/27/19 19:08:25:434 GST] 0000285b id= com.worklight.oauth.validation.Validator I processErrorCode OAuthTAI Authentication failed with Status = 401, WWW-Authenticate: Bearer realm="imfAuthentication", scope=""
[1/27/19 19:08:25:434 GST] 0000285b id= com.worklight.adapters.rest.WLShouldCompressPredicat 1 shouldCompress Request: http://localhost:8080/MA/adapters/AccessAdapter/getDetails disableCompressionAttr=null
[1/27/19 19:08:25:434 GST] 0000285b id= com.worklight.adapters.rest.WLShouldCompressPredicat 1 shouldCompress Request: http://localhost:8080/MA/adapters/AccessAdapter/getDetails acceptGZipEncoding=true
[1/27/19 19:08:25:435 GST] 0000285b id= com.worklight.common.util.BaseProjectLocal 1 unset unset ProjectLocal
[1/27/19 19:08:25:435 GST] 0000285b id= com.worklight.common.util.BaseProjectLocal 3 unset java.lang.Throwable
    at com.worklight.common.util.BaseProjectLocal.unset(BaseProjectLocal.java:114)
    at com.worklight.core.auth.impl.MFPRequestListener.requestDestroyed(MFPRequestListener.java:24)
    at com.ibm.ws.webcontainer.webapp.WebApp.notifyServletRequestDestroyed(WebApp.java:2747)
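Added example, not part of the original post and not MobileFirst code: a Python triage sketch that checks an authorization URL for the empty scope parameter and scans log text for the two symptoms quoted above (FWLSE0376E and a 401 challenge carrying scope=""), keyed by thread id. The sample URL, the client_id placeholder and the log lines are constructed from the post's excerpts, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample input modelled on the excerpts in the post;
# client_id is a placeholder and the last log line is a made-up healthy case.
SAMPLE_URL = ("http://localhost:8080/BA/authorization/v1/authorization"
              "?client_id=EXAMPLE&isAjaxRequest=true"
              "&redirect_uri=http%3A%2F%2Fmfpredirecturi&response_type=code&scope=")
SAMPLE_LOG = """\
00002171 com.worklight.core.auth.impl.AuthorizationFilterUtils E FWLSE0376E: JWS signed ClientId signature does not match the client ID
0000285b com.worklight.oauth.validation.Validator I OAuthTAI Authentication failed with Status = 401, WWW-Authenticate: Bearer realm="imfAuthentication", scope=""
0000285c com.worklight.oauth.validation.Validator I OAuthTAI Authentication failed with Status = 401, WWW-Authenticate: Bearer realm="imfAuthentication", scope="UserAuthRealm"
"""

# 401 challenge as it appears in messages.log / trace.log.
CHALLENGE = re.compile(
    r'Status = (\d{3}), WWW-Authenticate: Bearer realm="([^"]*)", scope="([^"]*)"')
# Thread id, with or without the leading "[timestamp]" used in trace.log.
THREAD = re.compile(r'^(?:\[[^\]]*\]\s+)?([0-9a-f]{8})\b')


def scope_of(url):
    """Return the non-empty scope values of an authorization URL, or None."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = [v for v in query.get("scope", []) if v.strip()]
    return values or None


def triage(log_text):
    """Return (thread_id, symptom) pairs for the two failures seen in the post."""
    findings = []
    for line in log_text.splitlines():
        m = THREAD.match(line)
        thread = m.group(1) if m else "?"
        if "FWLSE0376E" in line:
            findings.append((thread, "jws_client_id_mismatch"))
        challenge = CHALLENGE.search(line)
        if challenge and challenge.group(3) == "":
            findings.append((thread, "empty_scope_challenge"))
    return findings


if __name__ == "__main__":
    print("scope in request:", scope_of(SAMPLE_URL))
    for thread, symptom in triage(SAMPLE_LOG):
        print(thread, symptom)
```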